How to Master Kubernetes Load Balancing: MetalLB + Cloudflare Setup
July 3, 2025
Running Kubernetes outside of public clouds reveals a stark contrast: the seamless automation you've grown accustomed to in managed environments doesn't translate directly to self-managed infrastructure.
What feels effortless in EKS, GKE, or AKS requires deliberate configuration when you control the underlying hardware. This gap isn't a bug or a design flaw: it's the natural result of Kubernetes' modular architecture.
Cloud platforms provide pre-integrated solutions for networking, storage, and load balancing; that convenience can be a benefit or a constraint depending on your needs. When you move to bare metal, these integrated components disappear, leaving you to assemble the missing pieces yourself.
The Missing LoadBalancer Problem
In cloud environments, creating a LoadBalancer service triggers behind-the-scenes automation: IP assignment, external load balancer provisioning, and traffic routing.
On bare metal, that same LoadBalancer service remains in a “pending” state indefinitely. Why? Because Kubernetes relies on external systems (usually cloud-native) to supply routable IP addresses and manage ingress.
While Kubernetes manages internal networking well (node IPs, pod IPs, service IPs), it offloads external IP management to the underlying infrastructure. Without a solution in place, your services are essentially invisible to the outside world.
NodePort and externalIPs: Incomplete Workarounds
Kubernetes offers NodePort as an alternative, exposing services on ports within a limited range across all nodes. This brings accessibility, but not without costs: non-standard ports, potential conflicts, extra proxy layers, and limited scalability.
The externalIPs method also exists, but it requires manual IP management and lacks built-in failover, both of which are far from ideal for production workloads.
MetalLB: Making LoadBalancer Services Work on Bare Metal
MetalLB addresses Kubernetes' core limitation on physical hardware. It enables LoadBalancer services to function in environments where they would otherwise never receive an external IP and stay pending.
Address Allocation and IP Announcement
At its core, MetalLB handles two primary responsibilities: assigning IP addresses from predefined pools and announcing those IP addresses on your network. This enables services to become externally reachable, aligning bare metal clusters with cloud behavior.
With MetalLB, developers can deploy applications the same way they would in AWS or GCP. The difference? They retain complete control and transparency over infrastructure, which is ideal for performance-sensitive, latency-critical, or cost-conscious use cases.
Kubernetes-Native Configuration with CRDs
MetalLB uses Custom Resource Definitions (CRDs) like IPAddressPool, L2Advertisement, and BGPAdvertisement to define IP allocation and routing behavior.
This approach integrates seamlessly with GitOps and infrastructure-as-code practices, making configuration versionable and auditable.
You get granular control over IP blocks, advertisement strategies, and failover policies, all through Kubernetes-native tools.
Choosing the Right Mode: Layer 2 or BGP
MetalLB supports two primary operational modes:
Layer 2 mode elects one node to answer ARP (or NDP for IPv6) requests for each service IP. It's simple, requires no special hardware, and works well in basic setups, but because a single node receives all traffic for a given service IP, it can become a bottleneck.
BGP mode enables true load distribution and horizontal scalability. It peers directly with your routers, so they can use ECMP (Equal-Cost Multi-Path) to spread traffic across nodes and fail over faster.
For more advanced needs, FRR mode (introduced in MetalLB v0.13.0) features BFD (Bidirectional Forwarding Detection) and enhanced IPv6 support, providing high-availability networking tailored for modern applications.
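As an added example (not from the article or the MetalLB project), here are the CRDs from the two sections above for a single pool, with the Layer 2 and BGP/BFD advertisements shown as alternatives: apply Option A or Option B, not both. The pool range, router address, ASNs and object names are assumed placeholders; BGPPeer and BFDProfile are MetalLB CRDs the article does not name, and BFD requires MetalLB's FRR mode.

```yaml
# Constructed placeholders: 203.0.113.0/24 is a documentation range, 10.0.0.1 the assumed router, 64512/64513 private ASNs.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: public-pool
  namespace: metallb-system
spec:
  addresses:
    - 203.0.113.10-203.0.113.50
  autoAssign: true
---
# Option A, Layer 2 mode: one node answers ARP/NDP for every IP in the pool.
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: l2-public
  namespace: metallb-system
spec:
  ipAddressPools:
    - public-pool
---
# Option B, BGP mode (FRR mode, MetalLB >= v0.13.0): BFD detects a dead peer in about receiveInterval * detectMultiplier ms.
apiVersion: metallb.io/v1beta1
kind: BFDProfile
metadata:
  name: fast-detect
  namespace: metallb-system
spec:
  receiveInterval: 300
  detectMultiplier: 3
---
apiVersion: metallb.io/v1beta2
kind: BGPPeer
metadata:
  name: tor-router
  namespace: metallb-system
spec:
  myASN: 64512
  peerASN: 64513
  peerAddress: 10.0.0.1
  bfdProfile: fast-detect
---
apiVersion: metallb.io/v1beta1
kind: BGPAdvertisement
metadata:
  name: bgp-public
  namespace: metallb-system
spec:
  ipAddressPools:
    - public-pool
```

After applying, a Service of type LoadBalancer should show an address from the pool under EXTERNAL-IP in `kubectl get svc` instead of staying pending.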
Cloudflare: Managing the Edge and Beyond
MetalLB solves the in-cluster problem. But without a smart, secure, and resilient edge, you still leave your Kubernetes services exposed or even inaccessible. That’s where Cloudflare steps in.
Evolving from DNS to Global Traffic Intelligence
Cloudflare began as a DNS provider but evolved into a comprehensive edge network. It now offers a global CDN, DDoS protection, intelligent load balancing, and application-layer security, all of which are critical for self-hosted Kubernetes clusters.
When running Kubernetes on bare metal, Cloudflare fills the visibility, security, and performance gaps that cloud platforms abstract away. It becomes your entry point to the internet and your frontline defense.
Cloudflare Load Balancers: Smarter Global Routing
Cloudflare Load Balancers integrate smoothly with MetalLB. While MetalLB manages IPs within your cluster, Cloudflare distributes external traffic across those IPs using health checks, geographic proximity, and real-time load metrics.
This ensures lower latency for global users, instant failover in case of node outages, and automatic traffic steering, all without relying on expensive third-party appliances.
Zero Trust at the Network Edge
Bare metal setups give you complete control, but that also means full responsibility. Implementing Zero Trust architecture is essential to securing these environments.
With Cloudflare Access, you can enforce authentication, device posture, and identity-based policies before traffic even touches your cluster. This helps create a security model that’s both modern and manageable—aligning perfectly with infrastructure you own and operate yourself.
Why MetalLB + Cloudflare Is a Good Choice for Bare Metal Kubernetes
For teams building serious infrastructure outside of hyperscaler clouds, the MetalLB-Cloudflare combo provides everything Kubernetes expects without sacrificing the performance, privacy, or cost advantages of bare metal.
No vendor lock-in. Full control over IPs, failover, routing, and security.
Cloud-grade performance. Predictable throughput and fast failover using BGP and ECMP.
Built-in security. Cloudflare's edge protects your services with Zero Trust principles and DDoS mitigation.
Unified visibility. One architecture to rule both internal and external networking paths.
Together, MetalLB and Cloudflare create a unified, resilient, and cloud-like experience.
Take Control of Your Infrastructure, Join Latitude.sh
At Latitude.sh, we make it easy to run Kubernetes on bare metal, with all the performance, control, and flexibility that cloud platforms can’t match.
Whether you're deploying latency-sensitive workloads or simply want complete visibility into your infrastructure, our platform was built to support modern orchestration at scale.
Explore our step-by-step guide to get started, and see how Latitude.sh helps you simplify networking, reduce overhead, and stay in control of your stack without sacrificing the capabilities your applications depend on.
Join Latitude.sh today and experience bare metal Kubernetes the way it was meant to run.
FAQs
Q1. What is MetalLB, and why is it important for Kubernetes?
MetalLB is a load balancer implementation for bare metal Kubernetes clusters. It's crucial because it bridges the gap between Kubernetes' cloud-native expectations and bare metal realities, providing IP allocation and load balancing capabilities that are typically missing in non-cloud environments.
Q2. How does Cloudflare enhance Kubernetes load balancing?
Cloudflare complements Kubernetes load balancing by providing advanced external traffic management, security features, and intelligent routing. It serves as a sophisticated edge solution, providing DDoS protection, Web Application Firewalls, and smart traffic distribution across endpoints.
Q3. What are the main operational modes of MetalLB?
MetalLB primarily operates in two modes: Layer 2 mode, where one node handles each service IP, and BGP mode, which enables true load balancing by establishing peering sessions between cluster nodes and network routers. There's also an FRR mode that offers enhanced BGP capabilities.
Q4. How does the MetalLB + Cloudflare stack improve network resilience?
This combination provides multiple layers of redundancy. MetalLB's BGP mode with FRR support enables fast failure detection, while Cloudflare's load balancers offer automatic failover capabilities. Together, they ensure high availability and quick rerouting during network disruptions.
Q5. What are the security benefits of using MetalLB with Cloudflare?
The MetalLB + Cloudflare stack aligns with zero trust principles. Cloudflare provides robust security features that protect your cluster before traffic reaches it, while keeping your actual infrastructure hidden. This setup facilitates comprehensive security across both external and internal traffic paths.